[bitcoin-dev] Sum of the keys attack on taproot
vjudeu
vjudeu at gazeta.pl
Sat May 15 10:21:00 UTC 2021
We have some taproot address with private key "a" and public key "a*G", owned by Alice. Bob wants to take Alice's coins without her permission. He owns taproot address with private key "b" and public key "b*G". He knows "a*G" by exploring the chain and looking for P2TR outputs. To grab Alice's funds, he creates "(b-a)*G" taproot address and send some small amount to this address. Then, Bob can create a transaction with two inputs, taking coins from "a*G" and "(b-a)*G" addresses. All that is needed is producing a signature matching the sum of the public keys used in taproot, which is "(a+b-a)*G", reduced to "b*G", so Bob uses his "b" private key to produce Schnorr signature. Is there any protection from this attack?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20210515/9b58f6eb/attachment.html>
More information about the bitcoin-dev
mailing list